Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

88 'high-risk' security defects found in Android kernel

By | November 2, 2010, 12:12pm PDT

Summary: The high-risk defects in the Android kernel included memory corruption flaws, memory illegal accesses and resource leaks.

A security audit of the Android kernel has turned up 88 “high-risk defects” with significant potential to cause security vulnerabilities, data loss, or quality problems such as system crashes.

According to Coverity, a source code analysis firm, the high-risk defects included memory corruption flaws, memory illegal accesses and resource leaks.

The analysis was conducted against the Android kernel 2.6.32 (code named “Froyo”). This kernel is targeted for smartphones based on the Qualcomm MSM7xxx/QSD8x50 chipset, specifically the HTC Droid Incredible. In addition to the standard kernel, this version includes support for wireless, touchscreen, and camera drivers.

Here’s the gist of Coverity’s findings:

  • The Android kernel used in the HTC Droid Incredible has about half the defects that would be expected for similar software of the same size.
  • The Android kernel has better than industry average defect density (one defect for every 1,000 lines of code); however, the report discovered 359 defects that are believed to be in the shipping version of the HTC Droid Incredible. We believe the defects we found are a sample of what could be shipping in many OEMs’ devices and products that leverage the Android platform.
  • We found 88 high-risk defects in Android: 25% of the Android defects discovered, including memory corruptions, memory illegal accesses, and resource leaks, are considered high-risk with significant potential to cause security vulnerabilities, data loss, or quality problems such as system crashes. These are traditionally defect types that many of our customers fix and eliminate completely prior to shipping a product.
  • Accountability for Android software integrity is fragmented. The problem is no different with Android than what we see across open source. Android is based on Linux, which has thousands of contributors. Compound that with the Android developers from Google, the contributors to Android from the larger development community, and OEMs that supply components for specific configurations of Android to support different types of devices, and the lines of accountability are quickly blurred. It’s not clear who is ultimately accountable, but it is clear that a new level of visibility is needed to provide the OEMs that incorporate Android in their software supply chain with an objective measurement of Android software integrity.
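The defect classes the findings name, a resource leak and an illegal memory access, as an added C example that is not from the article or from Coverity's report: a small record parser in the style of driver input handling, with both defects left in place in parse_record_before() and removed in parse_record_after(). The record layout, MAGIC, PAYLOAD_MAX, the sample records and the function names are constructed for illustration; the live-buffer counter exists only so the leak can be observed without a static analysis tool.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAGIC       0xA5   /* constructed: first byte of a valid record */
#define PAYLOAD_MAX 16     /* constructed: size of the scratch buffer */

/* Bookkeeping so a leak is observable from a test, not only from a tool. */
static int live_buffers = 0;

static uint8_t *buf_alloc(size_t n) {
    uint8_t *p = malloc(n);
    if (p) live_buffers++;
    return p;
}

static void buf_free(uint8_t *p) {
    if (p) { live_buffers--; free(p); }
}

int live_buffer_count(void) { return live_buffers; }

/* Constructed record layout: [magic:1][len:1][payload:len].
 * parse_record_before() carries the two defect classes on purpose:
 *   - the early return on a bad magic byte skips buf_free(): resource leak
 *   - len comes straight from the input and is never checked against
 *     PAYLOAD_MAX or against the bytes actually present: out-of-bounds
 *     read and write, i.e. an illegal memory access
 * Only the leak path is exercised below; the overrun is shown, not run. */
int parse_record_before(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    uint8_t *scratch = buf_alloc(PAYLOAD_MAX);
    size_t len;
    if (!scratch) return -3;
    if (rec_len < 2 || rec[0] != MAGIC)
        return -1;                     /* scratch is never freed on this path */
    len = rec[1];
    memcpy(scratch, rec + 2, len);     /* overrun when len > PAYLOAD_MAX or > rec_len - 2 */
    memcpy(out, scratch, len);
    buf_free(scratch);
    return (int)len;
}

/* parse_record_after(): one exit path owns the release, and the length is
 * validated before it is ever used as a copy size. */
int parse_record_after(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    uint8_t *scratch = buf_alloc(PAYLOAD_MAX);
    size_t len;
    int ret;
    if (!scratch) return -3;
    if (rec_len < 2 || rec[0] != MAGIC) { ret = -1; goto done; }
    len = rec[1];
    if (len > PAYLOAD_MAX || len > rec_len - 2) { ret = -2; goto done; }
    memcpy(scratch, rec + 2, len);
    memcpy(out, scratch, len);
    ret = (int)len;
done:
    buf_free(scratch);                 /* reached on every path */
    return ret;
}

/* Constructed sample records and an output buffer shared by main() and tests. */
static const uint8_t SAMPLE_BAD[]  = { 0x00,  0x03, 'a', 'b', 'c' };  /* wrong magic byte */
static const uint8_t SAMPLE_GOOD[] = { MAGIC, 0x03, 'a', 'b', 'c' };  /* valid record */
static const uint8_t SAMPLE_BIG[]  = { MAGIC, 0xFF, 'a' };            /* len field lies */
static uint8_t g_out[PAYLOAD_MAX];

int main(void) {
    parse_record_before(SAMPLE_BAD, sizeof SAMPLE_BAD, g_out);
    printf("before: live buffers after bad record = %d (leaked)\n", live_buffer_count());
    parse_record_after(SAMPLE_BAD, sizeof SAMPLE_BAD, g_out);
    printf("after:  live buffers after bad record = %d (unchanged)\n", live_buffer_count());
    printf("after:  oversized len rejected, rc = %d\n",
           parse_record_after(SAMPLE_BIG, sizeof SAMPLE_BIG, g_out));
    printf("after:  valid record, payload bytes = %d\n",
           parse_record_after(SAMPLE_GOOD, sizeof SAMPLE_GOOD, g_out));
    return 0;
}
```

Only the bad-magic path of the "before" function is ever run, so the leak shows up as a buffer count that never returns to zero; the overrun is left as a comment on the unchecked memcpy rather than executed. This is the shape of finding a static analyzer reports as a resource leak on an error path and as an untrusted length used as a copy size, which is why such defects are usually fixed before a product ships.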



Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

58 Comments

RE: 88 'high-risk' security defects found in Android kernel
linasmith 26th Aug
@Loverock Davidson yeah, agree with you that risks are always expected when using Linux as your base. book report writing | Admission essay writing | thesis writing
0 Votes
Not surprised. Actually these risks were expected when you use Linux as your base. And you wonder why I stay clear of using it.
0 Votes
FLOSS security at work again
LBiege Updated - 2nd Nov 2010
"but... but... but... but... with many eyes reviewing the code our software is more secure than the proprietary one." FLOSS looks like a big fat government with each passing day good at only making beautiful and yet hollow promises just to fool the public.
0 Votes
did you even read the article?
~doolittle~ Updated - 3rd Nov 2010
@LBiege from the above post:

"The Android kernel used in the HTC Droid Incredible has about half the defects that would be expected for similar software of the same size"

"The Android kernel has better than industry average defect density"

Apparently "many eyes" appear to be doing a pretty good job. Let's see how long it takes to get these fixed.

In other news, Microsoft is a dying consumer brand. Don't take my word for it...
http://money.cnn.com/2010/10/27/technology/microsoft_pdc/index.htm

I also have to quote LD himself from his recent post:
http://www.zdnet.com/blog/security/two-year-old-data-leakage-flaw-still-haunts-internet-explorer/7604
"It's not a problem if there are no exploits."

I'm not going to comment on a two+ year old browser flaw. Except maybe they can use many more eyes.
0 Votes
Microsoft is a dying breed...
Michael Alan Goff 3rd Nov 2010
That's why their browser has the highest marketshare, their OS has the highest marketshare, and they're the industry standard.
0 Votes
@LBiege Well said below...
Has anyone done the same type of analysis on iOS? Or is it impossible because of its "closed source" nature? I wonder.
@LBiege Except someone spotted these bugs and they're being worked on right now. It's a lot better than having to wait for God knows when the OEM spots the bug (if ever).
0 Votes
RE: Microsoft is a dying breed...
~doolittle~ 4th Nov 2010
@goff256 wrote "That's why their browser has the highest marketshare, their OS has the highest marketshare, and they're the industry standard. "

Yes I believe they were comparing Android directly to Windows Mobile and gathered these conclusions:

"The Android kernel used in the HTC Droid Incredible has about half the defects that would be expected for similar software of the same size"

"The Android kernel has better than industry average defect density"

They just forgot to mention "when directly compared to Windows Mobile kernel..."
@LBiege ....until you all find out that both of these companies have put out some of the most ridiculously flawed software on the planet! haha....

"So, how does Android stack up? Well, according to the report, the Android kernel has around half the bugs that would be expected for a project of its size, and has a better than industry average of defects per lines of code, with roughly one defect per 1,000 lines of code." quote by Adrian on ZDNet.

Note: Google Android uses "Clean Room" code development and Andy Rubin has stated that on average Android OS can be considered one of the Cleanest Coding Environments out there!

Since Ryan Retardo obviously manipulated this story based on their report to go two ways. #1 First way so you morons could feel good about beating up on Android as if there was anything to complain about and #2 the positive REALITY that was in this REPORT, that he intentionally slanted to get page hits!

If you had the sense enough to actually get the report, you'd see that "better than industry average of defects per lines of code" (as in around 1 per 1,000 lines) is in fact outstanding.

That's the reality and I'll bet even iOS wouldn't fare any better (most likely far worse). But we'll never know that, will we? Because it's closed source proprietary like Microsoft's. Who originally were putting out some of the dirtiest code on the planet from Quick and Dirty Operating System (QDOS) and PCDOS (MSDOS was better on purpose btw)! CrApple wasn't much better than MS, using college Code Slaves themselves. Instead of Code Warriors to develop their early code!

btw.... this is one very big reason Open Source is much cleaner than any proprietary code. It's a known fact that proprietary software hides their defects by using Closed Source as an excuse!

Linux is much cleaner than any other Operating System Code!
http://lwn.net/Articles/22623/

http://lwn.net/Articles/115530/

"(a) Industry Average: "about 15 - 50 errors per 1000 lines of delivered code." He further says this is usually representative of code that has some level of structured programming behind it, but probably includes a mix of coding techniques."

Quote taken from book "Code Complete" by Steve McConnell
http://stackoverflow.com/questions/862277/what-is-the-industry-standard-for-bugs-per-1000-lines-of-code

88 potential flaws is a joke in relation to millions of bits of code. This idiot just took advantage of all you morons' ignorance. So take that you Microcrud losers and iCrAppleholics!!! wink
@Loverock Davidson
Except you're using it right now... ZDNet's servers use Linux!
@Loverock Davidson, Always the Linux basher aren't you!
I'll take my Buggy Linux over your Windows thingy anytime!
yeah...cause closed source is better? security via obscurity works so well everyone should use it
@stebidri - don't deflect. The story is not about closed source software - it's about one of the most widely used OS for smartphones which thus has lots of eyes poring over it ... and yet, these bugs were not identified and fixed prior to shipping.

Sounds to me like the "many eyes" benefit claim is null and void at this point.
@De-Void Or many eyes found the bugs... Although it was done with an automated tool and no one knows what they are yet, so it's tentative at best.
0 Votes
Six in one, half a dozen in the other...
ryanstrassburg Updated - 3rd Nov 2010
@stebidri
Open source has its benefits, but obviously has its flaws as well. Security through obscurity is still one of the most effective methods of security to date. FLOSS is not a bad idea, just a good one poorly implemented, but it is uncertain whether there is truly a good way to implement this. The military also practices this methodology of obscuring the facts.

FLOSS = Socialism = Fragmented Support. We learn this in economics. Where the many are responsible for the product, the product is not taken care of as well. Where the owner/creator has a direct benefit the yields are higher, the waste is lesser, and the overall economic contribution is greater... We call this capitalism. This is a fact of life, and I see no reason for it to differ with software or any other resource.
0 Votes
Alright rand paul...
jivester 3rd Nov 2010
@ryanstrassburg and Obama wasn't born in the US too right! Love extremism, there should be no government, no co-ops, individualism triumphs over all else, you only benefit from your own hard work right, after all we will in a true meritocracy right?
@ryanstrassburg

Where did you study economics? The myth of the tragedy of the commons has in most contexts, including this one, been dismissed.
0 Votes
Security by obscurity?
Third of Five 6th Nov 2010
@ryanstrassburg The problem with security by obscurity is that once you lose the obscurity, you lose the security. Even Microsoft themselves no longer follow a pure "security by obscurity" policy where problems were typically swept under the rug (which was pretty much the catalyst that brought the "full disclosure" movement into existence).

Also, the article itself paints a significantly brighter picture than the topic says: Froyo has fewer bugs than other software of comparable size and function, and the "high-risk" bugs are the kinds of things that generally get dealt with prior to shipping anyway.

The way to get real security is not by sweeping everything under the rug, but by making it secure in the first place, through rigorous testing and review. One popular way of securing something is what they do with safe deposit boxes--multiple keys, each from a different person, are required to open the door, thus avoiding the "single point of failure" problem.

As for the "socialism" thing, I assume that you don't use any public roads, take public transit, receive help from any police or fire departments, or consume any FDA-approved products? Socialism is all around you. The very idea of society is socialism. Even capitalism is tempered with socialism to a certain extent--if it weren't, we'd probably be back in the days of robber barons, child labor, and slavery.
@ALISON SMOCK yes that nice idea thanks for the great idea sharing with us we definitely use it. book report writing | Admission essay writing | thesis writing
0 Votes
Thank you Ryan Naraine
daikon 2nd Nov 2010
All software, including the Linux Kernel has bugs, Bugs do not equal a security exploit.
If a bug on any software or OS can be found before it becomes a multi-billion dollar business for the wrong reasons, all the better. (A bug is a flaw.)

Hooay!
0 Votes
@Linux Rocks
Linoxe is the only one affected happy

Hooay!
0 Votes
What is Linoxe
daikon 2nd Nov 2010
@shellcodes_coder
You may be scared to say, I am not.
Linux is the only one affected. That may come to be.

That is the beauty of Open Source, continuously scrutinized every day by developers and users around the world, as well as firms like Coverity, The result? Flaws are found and fixed.
Hey, there are 291 Open Source projects whose code Coverity scans all the time.

(Hooay!) Sad that you chose to mock a United States Army battle cry, Truly sad.

Hooay!
0 Votes
flaw fixed, not for Android
magallanes Updated - 3rd Nov 2010
@shellcodes_coder

most Android cellphones are still running 1.5 and 1.6, some are stuck on 2.0 and 2.1, and the (very few or too new) ones can run 2.2. For Android, there is no such thing as a weekly patch; some manufacturers launch a patch once every 3 months and, worse, some carriers delay it and only allow a new patch once a year.

Google Nexus is the only exception of the rule
@magallanes 77% of android phones have 2.0 or higher
@shellcodes_coder

I don't think it's all Linux, either.
0 Votes
Blame Linoxe
0 Votes
Not a big surprise
wackoae 2nd Nov 2010
Google keeps releasing new versions of Android without any real SQA, expecting the OEMs to do their own. Unfortunately, the OEMs only SQA their own changes and assume that Google did their job before releasing the code as "stable".

Although I can see Google's point (they are giving away the code for free ... the least the OEMs could do is run independent SQA), in the end, they are the makers of a product and should be responsible for doing the SQA for the product with their brand name.
But it still shows how pathetic Google code quality is. At least no one should be surprised any longer that their Android devices lock up or crash several times a week. I certainly wouldn't be surprised if almost all of these problems were spotted with static code analysis tools that Google could have or did run themselves. They really just don't give a sh*t. They are fine with fixing everything after there are 100's of 1000's of people screwed by it. Hopefully making this public will force them to start addressing them now and clean up their slipshod attitude towards continuously shipping pre-beta quality product.
0 Votes
No kidding
wackoae 2nd Nov 2010
@Johnny Vegas The few lines of refactored code Oracle showed said a lot about the lack of quality in coding standards in the Android dev team.

For example, one of the code samples showed how a simple for loop was changed to a while(true) .... showing one of the WORST programming practices and the poor quality on the part of the developer who wrote it.
0 Votes
@Johnny Vegas

I use a Nexus One and it is the most stable smart phone I've ever seen. It's easily more stable than my wife's iPhone, which does screw up every so often and has to be rebooted (much more often than it should), and the difference from Windows Mobile is like night and day. I've had my Nexus One for about a year now and it has locked up maybe twice in that time. I've only had to reboot it two or three times since I've had it and at least one of those was for the 2.2 upgrade.

I don't know much about other Android phones and their reliability but mine has been excellent. Also, my son has a Samsung Galaxy and it has shown the same level of reliability thus far.

Maybe some Android phones suffer from reliability issues but that certainly is not the case for all of them.

Regards,
0 Votes
hear hear
jivester 3rd Nov 2010
@kb5ynf hear hear
@kb5ynf My Eris has been great aside from the broken screen (which I repaired myself)...
@Johnny Vegas yeah, cause search, gmail, chrome, docs, all suck right compared to the competition. I like bleeding edge, so does Google, so I participate and give feedback and as a result, I get to use the best stuff out there. What story do you know of someone getting screwed?
@Johnny Vegas
1. My Eris has never crashed or locked up
2. We don't know what these bugs are yet because they haven't been disclosed... They were discovered by an automated tool which makes their status tentative pending human verification.
3. The bug density is lower than the industry average per line of code.
0 Votes
@Johnny Vegas ..... I've had my HTC Desire for months.. I am very selective about the apps I install... my phone has never locked up or crashed.. let alone several times a week.. I have seen some strange and buggy apps ... I'd like to see the statistics around your claim, as it is not my experience..
@Aussie_linux_user
>>>I'd like to see the statistics around your claim

Not a claim. An unfounded assertion pulled from his nether region.
@Johnny Vegas
I've had my Droid since March, and have rooted it and installed 2.2. Smooth as silk, no lockups or crashes. (And it's overclocked.)
0 Votes
I figure we are all beta testers -- those of us who own Android based phones. My phone(s) reboot without warning and show just general beta-like behavior. Open platforms are cool at first and then everyone figures out that the next killer app they download from the app market might be the one that steals their data. Google.. you have to have some responsibility for the code you release. We've seen Google take the hands-off approach to managing their hardware when they released the Nexus One and then refused to answer support calls on it. If WP7 or RIM get their act together I'm ditching Android.
@dubbsix I've never had my phone reboot without warning. I've never had my phone randomly lock up. Have you ever used an android phone?
0 Votes
...compared to similar projects
R_Connelie@... 3rd Nov 2010
I am amused by the amount of talkbacks that either ridicule Google for the flaws, or praise Open Source for helping folks to find/fix the flaws.

Here's the most interesting quote from the article that everyone seems to have missed:
"The Android kernel used in the HTC Droid Incredible has about half the defects that would be expected for similar software of the same size."

Put another way, the Android kernel that was tested has fewer flaws than nearly every other comparable project. Comparable projects should include the Windows 7 Mobile kernel, Symbian kernel, WebOS kernel, iOS kernel, Blackberry kernel, and others...

Truth be told, I don't know whether to attribute this achievement to the Android codebase released by Google, or HTC for their repackaging/compilation of Android. Regardless, interesting stuff.
0 Votes
@R_Connelie@...
>>>Put another way, the Android kernel that was tested has fewer flaws than nearly every other comparable project.

So, regarding kernel flaws Android is 2 times as good as everything else. Any other way to read that?
Have Coverity published openly the details of their 88 issues? When I look at their website I can't find anything except how to subscribe to their publicity machine.
0 Votes
@stevec611 They haven't disclosed the bugs yet. They've said pending fixes... I'd like to know what the bugs are to actually evaluate if they're critical for myself.
0 Votes
Hello. Mr. Joe Average consumer here. Wall my garden. Just what can I do on an "open" mobile device that I can't on my iPhone. Only answers that apply to real life situations please. Thanks.
@thofts You can use your phone on a carrier that doesn't drop your calls (AT&T), has decent customer service (that eliminates Sprint and AT&T), 3G in way more places than AT&T ever thought about or has. And most importantly, you can customize your phone the way you want it, rather than live with what Apple wants you to have or use.
0 Votes
I think a lot
jivester 3rd Nov 2010
@thofts wireless tethering to start, changes to the basic functioning of the phone like keyboards (much smarter than stock...for now), changes to how text messages display and notify you, use applications that require multitasking and use that multitasking better, install apps not from the specified app market, send websites directly from your PC to your phone or vice-versa, install apps directly from the web on the PC to the phone...no wires. Not to mention other things that are pure Android like turn-by-turn driving navigation, and cloud backup of settings, mail, contacts, etc... Then there are reasons that are just because it's not Apple, like expandable memory and changeable batteries.

just to name a few,
@thofts Tethering. I can plug a USB cable into my phone, plug it into my computer, and then use my data plan on my computer without hacking the phone.
@thofts

Swype
Trillian(beta) for free!
Couple others I tried and decided I didn't like. Essentially, whatever I want. I'm not dependent upon the android market at all.
0 Votes
I have the Droid X and it has been left on 24/7 since the day I got it 2 months ago. I have yet to experience any problems whatsoever with this phone, unlike the myriad of problems and issues I experienced with the (3) piece of junk Blackberry Storms I had over a 2 year period.

The only issue I have with the Android OS is the total lack of support for Outlook Email, unless you pay Google through the nose for premium programming content.
@Lightning546
I was able to set up the Exchange account at work to use on my Droid, with the limitation that I had to be inside our network. We have a WAP here, so that wasn't a problem for me. (I'm not sure what your situation is, of course.)
